[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: CSI (Security Policy) Help



On Sat, Jan 31, 2009 at 7:59 PM, seth vidal <skvidal fedoraproject org> wrote:
> On Sat, 2009-01-31 at 21:30 -0600, Mike McGrath wrote:
>> On Sat, 31 Jan 2009, Frank Chiulli wrote:
>>
>> > So I've implemented the CSI (Security Policy) as previously posted by Mike
>> > (http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html-singel/)
>> >
>> > Now I'm seeing the following messages in /var/log/messages:
>> > Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT=
>> > MAC=ff:ff:ff:ff:ff:ff:00:16:01:41:10:5b:08:00 SRC=192.168.2.248
>> > DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
>> > SPT=137 DPT=137 LEN=58
>> >
>> > Jan 31 19:09:21 localhost kernel: FW-REJECT IN=eth0 OUT=
>> > MAC=ff:ff:ff:ff:ff:ff:00:0e:3b:02:0e:b7:08:00 SRC=192.168.2.250
>> > DST=192.168.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
>> > SPT=138 DPT=138 LEN=209
>> >
>> >
>> > 192.168.2.248 is a NAS device
>> > 192.168.2.250 is a Hawking print server
>> >
>> > I'm not an iptables expert.  Usually I just leave it alone.  Can
>> > someone help me write one or more rules to eliminate the messages?
>> >
>>
>> I suspect that before you were blocking these messages but didn't notice.
>> You'll see the "DPT=137" and "DPT=138".  Those are both ports that the
>> various IP's are trying to hit on your machine.  If you check out those
>> ports in /etc/services
>>
>> In this case those devices seem to be using netbios.  If you want to get
>> rid of them you can just remove the:
>>
>> -A INPUT -j LOG --log-prefix "FW-REJECT "
>>
>> Or setup netbios, or block the ports explicitly or allow it and let them
>> drop naturally.
>
> Those are windows/samba/cifs ports. if you've got samba running and/or a
> windows (or now-adays even a mac) running on the same network  you'll
> probably find your culprit.
>
> -sv
>
>
>

I'm not running samba.  If I put the following rule before the LOG
rule, will the packets be dropped and the messages stopped?

-A INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.0/24 -m multiport
--ports 137,138 -j DROP

Frank


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]